XSS and reference manager
Posted: Tue May 15, 2018 9:43 am
by ezellohar
Hello, I'm using the reference manager Endnote. It uses a script to import references into my personal database. When it tries to do its stuff, it's blocked by XSS protection.
Console reports this error:
Code:
Bloccato il caricamento di contenuto misto attivo (mixed active content) “http://www.myendnoteweb.com/Bookmarklet/Bookmarklet.html?func=editCap&WNToolbar=off&captureID=WvqqPArYHK0AAB8LM9c”
Should I write an exception in the XSS options? I hope I have provided all the necessary information.
Thank you
PS: I tried to post the script but the antispam filter blocks me

Re: XSS and reference manager
Posted: Tue May 15, 2018 2:30 pm
by barbaz
That console message looks unrelated to NoScript.
As a test, does disabling NoScript (Tools > Add-ons Manager > NoScript > Disable > Yes, remove ALL protections) get it working?

Re: XSS and reference manager
Posted: Wed May 16, 2018 12:46 pm
by ezellohar
Yes, when disabled it works. It works even if I use the 'reload page without protection' under the XSS tab. That's why I posted it with this subject. How can I provide more information to analyze the problem?
Console also gives me this:
Code:
[NoScript XSS] Upload sospetto verso [https://www.myendnoteweb.com/Bookmarklet/Bookmarklet.html?func=capture###DATA###<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta http-equiv="content-style-type" content="text/css">
<meta http-equiv="content-language" content="en-gb">
<meta http-equiv="imagetoolbar" content="no">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="copyright" content="2000, 2002, 2005, 2007 phpBB Group">
<meta name="keywords" content="">
<meta name="description" content="">
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7; IE=EmulateIE9">
<title>InformAction Forums • Post a reply</title>
<!--
phpBB style name: prosilver
Based on style: prosilver (this is the default phpBB3 style)
Original author: Tom Beddard ( http://www.subBlue.com/ )
Modified by:
NOTE: This page was generated by phpBB, the free open-source bulletin board package.
(this is trying the script here)

Re: XSS and reference manager
Posted: Wed May 16, 2018 2:51 pm
by barbaz
If you trust that Endnote is not vulnerable to XSS, try adding this line in NoScript Options > Advanced > XSS > Anti-XSS Protection Exceptions -
Code:
^https://www\.myendnoteweb\.com/Bookmarklet/Bookmarklet\.html\?
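
Added example (not part of the original thread, and not NoScript's own code): a quick scope check for the exception above, showing which destination URLs it would exempt compared with a looser pattern. It assumes each exception line is tested as a JavaScript regular expression against the destination URL; `LOOSE` and every sample URL not quoted from the console messages are constructed for illustration.

```javascript
// Exception line suggested in the thread.
const EXCEPTION = String.raw`^https://www\.myendnoteweb\.com/Bookmarklet/Bookmarklet\.html\?`;
// Hypothetical looser pattern (no anchor, unescaped dot), for comparison only.
const LOOSE = String.raw`myendnoteweb.com`;

const SAMPLES = [
  // Upload target from the "[NoScript XSS]" console message (data part omitted).
  "https://www.myendnoteweb.com/Bookmarklet/Bookmarklet.html?func=capture",
  // Plain-http URL from the mixed-content console message.
  "http://www.myendnoteweb.com/Bookmarklet/Bookmarklet.html?func=editCap&WNToolbar=off&captureID=WvqqPArYHK0AAB8LM9c",
  // Constructed: same host, different path.
  "https://www.myendnoteweb.com/other/page.html?q=1",
  // Constructed: same path without a query string.
  "https://www.myendnoteweb.com/Bookmarklet/Bookmarklet.html",
  // Constructed: look-alike host that only starts with the trusted name.
  "https://www.myendnoteweb.com.example.test/Bookmarklet/Bookmarklet.html?x=1",
  // Constructed: trusted URL embedded as a parameter of another site.
  "https://example.test/?next=https://www.myendnoteweb.com/Bookmarklet/Bookmarklet.html?x=1",
];

// Return the URLs that a given exception pattern would exempt from filtering.
function exempted(pattern, urls) {
  const re = new RegExp(pattern);
  return urls.filter((u) => re.test(u));
}

// Build a per-URL report for both patterns.
function report(urls) {
  const strict = new Set(exempted(EXCEPTION, urls));
  const loose = new Set(exempted(LOOSE, urls));
  return urls.map((u) => ({ url: u, exception: strict.has(u), loose: loose.has(u) }));
}

for (const row of report(SAMPLES)) {
  console.log(`${row.exception ? "EXEMPT " : "checked"} | loose: ${row.loose ? "EXEMPT " : "checked"} | ${row.url}`);
}
```

Only the https Bookmarklet.html upload URL is exempted by the anchored pattern; the http URL from the mixed-content message is not, so that message is unaffected by the exception.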